2022-05-20 21:15:05 +02:00
---
2022-12-02 09:20:19 +01:00
title: "Xen Orchestra"
2022-11-19 15:25:20 +01:00
visible: true
2022-05-20 21:15:05 +02:00
---
2022-06-06 18:34:39 +02:00
[toc]
2022-12-02 09:20:19 +01:00
2022-05-20 21:15:05 +02:00
## Installation
2022-12-02 09:20:19 +01:00
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
2022-05-20 21:15:05 +02:00
### Installation within VM
2022-12-02 09:20:19 +01:00
2022-05-20 21:15:05 +02:00
The supported distibutions are listed in the Github README.
2022-12-02 09:20:19 +01:00
The script can be run with `# ./xo-install.sh --install`
2022-05-20 21:15:05 +02:00
### Installation from dom0
2022-12-02 09:20:19 +01:00
2022-05-20 21:15:05 +02:00
For an installation from dom0, you can deploy a premade VM.
2022-12-02 09:20:19 +01:00
Run `# xo-vm-import.sh` to import that VM.
2022-05-20 21:15:05 +02:00
### Installation as container
2022-12-02 09:20:19 +01:00
2022-05-20 21:15:05 +02:00
You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
2022-12-02 09:20:19 +01:00
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
2023-02-23 14:48:51 +01:00
```sh
podman run -itd --name xen-orchestra \
2022-05-20 21:15:05 +02:00
--net slirp4netns:allow_host_loopback=true \
-p 8080:80 \
docker.io/ronivay/xen-orchestra
```
## Secure Connection to Xenserver
2022-12-02 09:20:19 +01:00
2022-05-20 21:15:05 +02:00
By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
A local SSH tunnel is established, forwarding port 443 on dom0 instead.
2022-12-02 09:20:19 +01:00
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH ](/remote/ssh )
2022-05-20 21:15:05 +02:00
> Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example.
2022-12-02 09:20:19 +01:00
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
2022-05-20 21:15:05 +02:00
### SSH Tunnel
2022-12-02 09:20:19 +01:00
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
`/etc/systemd/system/local-tunnel@.service`
2023-02-23 14:48:51 +01:00
```systemd
2022-05-20 21:15:05 +02:00
[Unit]
Description=Setup a local tunnel to %I
After=network.target
[Service]
EnvironmentFile=/etc/default/local-tunnel@%i
ExecStart=/usr/bin/ssh -i ${PATH_TO_KEY} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -nNT -L ${LOCAL_PORT}:${REMOTE_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
RestartSec=15
Restart=always
KillMode=mixed
[Install]
WantedBy=multi-user.target
```
The corresponding config looks as follows:
2022-12-02 09:20:19 +01:00
`/etc/default/local-tunnel@evileye`
2022-05-20 21:15:05 +02:00
```
PATH_TO_KEY=(path to key)
LOCAL_PORT=(local port, e.g. 4853)
REMOTE_ADDR=(destination, e.g. 182.52.32.12)
REMOTE_PORT=443
REMOTE_USER=(remote user)
REMOTE_HOST=(also destination in this case)
```
This service can be enabled and started with this command.
2022-12-02 09:20:19 +01:00
`# systemctl enable --now local-tunnel@evileye.service`
2022-05-20 21:15:05 +02:00
### Firewall Redirection
2022-12-02 09:20:19 +01:00
`firewalld` will be used as firewall and to implement the redirection rule.
2022-05-20 21:15:05 +02:00
Make sure to enable the firewalld service
2022-12-02 09:20:19 +01:00
`# systemctl enable --now firewalld`
2022-05-20 21:15:05 +02:00
2022-12-02 09:20:19 +01:00
This command implements a redirection rule for packets to _destination_ with _destination port_ . Packets are redirected to localhost:_port_. The _target port_ should be the local port of the local SSH tunnel.
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
2022-05-20 21:15:05 +02:00
This type of rule can be viewed with the following command:
2022-12-02 09:20:19 +01:00
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
2022-05-20 21:15:05 +02:00
2022-12-02 09:20:19 +01:00
To remove this rule again, edit `/etc/firewalld/direct.xml`
2022-05-20 21:15:05 +02:00
## Firewalld
2022-12-02 09:20:19 +01:00
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld` .
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
2022-05-20 21:15:05 +02:00
2022-12-02 09:20:19 +01:00
For this Host the services `http` , `https` and `ssh` are allowed.
2022-05-20 21:15:05 +02:00
## VM Backups
2022-12-02 09:20:19 +01:00
2022-05-20 21:15:05 +02:00
### Exclude VM Disks from Backup
2022-12-02 09:20:19 +01:00
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
2022-12-02 09:20:09 +01:00
### Remove stale backups
> [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2)